Re: [Freeipa-users] HBAC Test - web vs command line - returns different results

2012-09-17 Thread Michael Mercier
On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:

 On 08/31/2012 09:33 AM, Michael Mercier wrote:
 Hello,
 
 I seem to be having a problem with the HBAC test:
 
 Versions:
 [root@ipaserver ipatest]# rpm -qa|grep ^ipa
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 
 
 On the web console:
 
 Browse to HBAC TEST
 
 Who: mike
 Accessing: pix.beta.local
 Via service: tac_plus
 From: ipaclient.beta.local (correct me if I am wrong, but I don't believe 
 this has any effect)
 Rules: tacacs
 
 Run Test - Access Granted with matched rules showing tacacs
 
 On the command line:
 
 ipa hbactest
 User name: mike
 Target Host: pix.beta.local
 Service: tac_plus
 -
 Access granted: False
 -
  Not matched rules: tacacs
 
 tacacs rule:
 General: Enabled
 Who: user group: ciscoadmin - mike is a member
 accessing: cisco-devices - pix.beta.local is a member
 Via Service: tac_plus
 From: any host
 
 NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is 
 still present)
 
 Any ideas?
 
 Thanks,
 Mike
 
 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users
 
 
 I do not know whether this issue was resolved. Hope it was on the IRC or
 in some other way.
 
 The problem above is related to the from host I believe.
 Please do not use the from host. The whole concept is a bit broken and
 not reliable.

I don't seem to be able to *not* select a 'from host' with the web console, I 
get:

Input form contains invalid or missing values.

Missing values:
 Source host.


Thanks,
Mike




Re: [Freeipa-users] HBAC Test - web vs command line - returns different results

2012-09-17 Thread Dmitri Pal
On 09/17/2012 09:47 AM, Michael Mercier wrote:
 On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:

 On 08/31/2012 09:33 AM, Michael Mercier wrote:
 Hello,

 I seem to be having a problem with the HBAC test:

 Versions:
 [root@ipaserver ipatest]# rpm -qa|grep ^ipa
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64


 On the web console:

 Browse to HBAC TEST

 Who: mike
 Accessing: pix.beta.local
 Via service: tac_plus
 From: ipaclient.beta.local (correct me if I am wrong, but I don't believe 
 this has any effect)
 Rules: tacacs

 Run Test - Access Granted with matched rules showing tacacs

 On the command line:

 ipa hbactest
 User name: mike
 Target Host: pix.beta.local
 Service: tac_plus
 -
 Access granted: False
 -
  Not matched rules: tacacs

 tacacs rule:
 General: Enabled
 Who: user group: ciscoadmin - mike is a member
 accessing: cisco-devices - pix.beta.local is a member
 Via Service: tac_plus
 From: any host

 NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is 
 still present)

 Any ideas?

 Thanks,
 Mike



 I do not know whether this issue was resolved. Hope it was on the IRC or
 in some other way.

 The problem above is related to the from host I believe.
 Please do not use the from host. The whole concept is a bit broken and
 not reliable.
 I don't seem to be able to *not* select a 'from host' with the web console, I 
 get:

 Input form contains invalid or missing values.

 Missing values:
  Source host.

You need to choose the 'all' option to ignore the values from this field.



 Thanks,
 Mike



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] HBAC Test - web vs command line - returns different results

2012-09-17 Thread Rob Crittenden

Michael Mercier wrote:

On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:


On 08/31/2012 09:33 AM, Michael Mercier wrote:

Hello,

I seem to be having a problem with the HBAC test:

Versions:
[root@ipaserver ipatest]# rpm -qa|grep ^ipa
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64


On the web console:

Browse to HBAC TEST

Who: mike
Accessing: pix.beta.local
Via service: tac_plus
From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this 
has any effect)
Rules: tacacs

Run Test - Access Granted with matched rules showing tacacs

On the command line:

ipa hbactest
User name: mike
Target Host: pix.beta.local
Service: tac_plus
-
Access granted: False
-
  Not matched rules: tacacs

tacacs rule:
General: Enabled
Who: user group: ciscoadmin - mike is a member
accessing: cisco-devices - pix.beta.local is a member
Via Service: tac_plus
From: any host

NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is 
still present)

Any ideas?

Thanks,
Mike




I do not know whether this issue was resolved. Hope it was on the IRC or
in some other way.

The problem above is related to the from host I believe.
Please do not use the from host. The whole concept is a bit broken and
not reliable.


I don't seem to be able to *not* select a 'from host' with the web console, I 
get:

Input form contains invalid or missing values.

Missing values:
  Source host.


I believe this value is ignored anyway.

This is very strange as the same backend is used to evaluate both the 
web and cli rules.


It might be helpful to crank up debugging to get more details on what is 
being passed in. Perhaps there is some subtle difference.


If you want to give this a go, edit /etc/ipa/default.conf and add

debug = True

and restart the httpd service, then try your commands again. You should 
get a bit more detail in /var/log/httpd/error_log about the request sent 
in and the response.


You probably don't want to leave this enabled for too long.

rob
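The debugging procedure Rob describes, as an added shell example that is not from the thread: it toggles the debug key in a default.conf-style file, restarts httpd, runs the CLI test with and without a source host, and reverts. The config and log paths, the `service httpd restart` form and the `ipa hbactest` option names (`--user`, `--host`, `--service`, `--rules`, `--srchost`) are assumptions about the el6 / IPA 2.2 setup in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Paths, CLI option names and the
# "service httpd restart" form are assumptions about the el6 / IPA 2.2 setup.

# Print the current value of the debug key, or "unset" if it is absent.
ipa_get_debug() {
    awk -F= '/^debug[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; found=1 }
             END { if (!found) print "unset" }' "$1"
}

# Set debug = True|False, replacing an existing key or adding one directly
# under [global]. The file is rewritten in place so its mode is preserved.
ipa_set_debug() {
    conf="$1"; value="$2"
    case "$value" in
        True|False) ;;
        *) echo "value must be True or False" >&2; return 1 ;;
    esac
    if grep -q '^debug[[:space:]]*=' "$conf"; then
        awk -v v="$value" '/^debug[ \t]*=/ { print "debug = " v; next } { print }' "$conf" > "$conf.tmp"
    else
        awk -v v="$value" '{ print } /^\[global\]/ { print "debug = " v }' "$conf" > "$conf.tmp"
    fi
    cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# Whole procedure: enable debug, restart httpd, run the CLI test both with
# and without a source host, collect the log detail, then switch debug off.
hbac_debug_session() {
    conf=/etc/ipa/default.conf
    log=/var/log/httpd/error_log
    ipa_set_debug "$conf" True && service httpd restart
    ipa hbactest --user=mike --host=pix.beta.local --service=tac_plus --rules=tacacs
    ipa hbactest --user=mike --host=pix.beta.local --service=tac_plus --rules=tacacs \
        --srchost=ipaclient.beta.local
    grep -i hbactest "$log" | tail -n 40        # request and response detail
    ipa_set_debug "$conf" False && service httpd restart   # don't leave debug on
}

# Only run the live session when explicitly asked (needs root on the IPA server).
if [ "${1:-}" = "run" ]; then hbac_debug_session; fi
```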





Re: [Freeipa-users] HBAC Test - web vs command line - returns different results

2012-09-17 Thread Michael Mercier

On 2012-09-17, at 10:33 AM, Rob Crittenden wrote:

 Michael Mercier wrote:
 On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:
 
 On 08/31/2012 09:33 AM, Michael Mercier wrote:
 Hello,
 
 I seem to be having a problem with the HBAC test:
 
 Versions:
 [root@ipaserver ipatest]# rpm -qa|grep ^ipa
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 
 
 On the web console:
 
 Browse to HBAC TEST
 
 Who: mike
 Accessing: pix.beta.local
 Via service: tac_plus
 From: ipaclient.beta.local (correct me if I am wrong, but I don't believe 
 this has any effect)
 Rules: tacacs
 
 Run Test - Access Granted with matched rules showing tacacs
 
 On the command line:
 
 ipa hbactest
 User name: mike
 Target Host: pix.beta.local
 Service: tac_plus
 -
 Access granted: False
 -
  Not matched rules: tacacs
 
 tacacs rule:
 General: Enabled
 Who: user group: ciscoadmin - mike is a member
 accessing: cisco-devices - pix.beta.local is a member
 Via Service: tac_plus
 From: any host
 
 NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is 
 still present)
 
 Any ideas?
 
 Thanks,
 Mike
 
 
 
 I do not know whether this issue was resolved. Hope it was on the IRC or
 in some other way.
 
 The problem above is related to the from host I believe.
 Please do not use the from host. The whole concept is a bit broken and
 not reliable.
 
 I don't seem to be able to *not* select a 'from host' with the web console, 
 I get:
 
 Input form contains invalid or missing values.
 
 Missing values:
  Source host.
 
 I believe this value is ignored anyway.
 
 This is very strange as the same backend is used to evaluate both the web and 
 cli rules.
 
 It might be helpful to crank up debugging to get more details on what is 
 being passed in. Perhaps there is some subtle difference.
 
 If you want to give this a go, edit /etc/ipa/default.conf and add
 
 debug = True

Hello,

I set up default.conf with debug = True, and I am unable to reproduce the 
different results?

Removed the debug statement and restarted httpd; both interfaces produce the same 
result (success).

Thanks,
Mike

 
 and restart the httpd service, then try your commands again. You should get a 
 bit more detail in /var/log/httpd/error_log about the request sent in and the 
 response.
 
 You probably don't want to leave this enabled for too long.
 
 rob
 
 
 




Re: [Freeipa-users] HBAC Test - web vs command line - returns different results

2012-09-08 Thread Dmitri Pal
On 08/31/2012 09:33 AM, Michael Mercier wrote:
 Hello,

 I seem to be having a problem with the HBAC test:

 Versions:
 [root@ipaserver ipatest]# rpm -qa|grep ^ipa
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64


 On the web console:

 Browse to HBAC TEST

 Who: mike
 Accessing: pix.beta.local
 Via service: tac_plus
 From: ipaclient.beta.local (correct me if I am wrong, but I don't believe 
 this has any effect)
 Rules: tacacs

 Run Test - Access Granted with matched rules showing tacacs

 On the command line:

 ipa hbactest
 User name: mike
 Target Host: pix.beta.local
 Service: tac_plus
 -
 Access granted: False
 -
   Not matched rules: tacacs

 tacacs rule:
 General: Enabled
 Who: user group: ciscoadmin - mike is a member
 accessing: cisco-devices - pix.beta.local is a member
 Via Service: tac_plus
 From: any host

 NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is 
 still present)

 Any ideas?

 Thanks,
 Mike



I do not know whether this issue was resolved. Hope it was on the IRC or
in some other way.

The problem above is related to the from host I believe.
Please do not use the from host. The whole concept is a bit broken and
not reliable.
Please let me know if you need more details or you already found this
info from mail archives and docs. 

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.







[Freeipa-users] HBAC Test - web vs command line - returns different results

2012-08-31 Thread Michael Mercier
Hello,

I seem to be having a problem with the HBAC test:

Versions:
[root@ipaserver ipatest]# rpm -qa|grep ^ipa
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64


On the web console:

Browse to HBAC TEST

Who: mike
Accessing: pix.beta.local
Via service: tac_plus
From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this 
has any effect)
Rules: tacacs

Run Test - Access Granted with matched rules showing tacacs

On the command line:

ipa hbactest
User name: mike
Target Host: pix.beta.local
Service: tac_plus
-
Access granted: False
-
  Not matched rules: tacacs

tacacs rule:
General: Enabled
Who: user group: ciscoadmin - mike is a member
accessing: cisco-devices - pix.beta.local is a member
Via Service: tac_plus
From: any host

NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is 
still present)

Any ideas?

Thanks,
Mike
